Re: heads-up: IPSEC is now FAST_IPSEC

rmind%netbsd.org@localhost said:
> Are you planning to remove old IPSEC code?
We should provide the KAME code as fallback for at least one
major release. Not that I don't trust the new code, but as
a matter of solid engineering.
> I think post-netbsd-6 branch (or even now?)
> would be a very good time.
Post-6-branch would be OK if no serious problems show up.
While we are here -- there are two places in the KAME code
where it interacts with the "pf" packet filter:
- For policy lookup, a pf packet tag can be used as condition.
- There is some ifdef'd code in sys/dist/pf/net/pf.c
  which has probably never worked in NetBSD, apparently
  for interfaces with HW crypto support. (It does not get
  compiled because someone forgot to include "opt_ipsec.h".)
Can you tell whether this should be pulled into FAST_IPSEC?

Policy lookup is actually something which could need some
improvement, because it is performance critical even if
IPSEC is not used for the connection in question. OpenBSD
has integrated this with the routing framework, but using
a packet filter as packet classifier would also be
a conceivable option. What are your plans with npf?
best regards
Matthias
Forschungszentrum Juelich GmbH
52425 Juelich